Authorize remote execution of privileged commands and remote access to security-relevant information.

By restricting which admins can conduct admin tasks remotely (e.g. via VPN connection) you are reducing the probability of an attacker being able to use a compromised account to access your systems and access security relevant information.

You can choose to completely restrict privileged accounts from accessing your network and system via a remote VPN connection. If that is not feasible see the below options. Document which of your system administrators are allowed to administer your systems via a remote VPN connection. Only place authorized admin accounts in security groups that allow for remote VPN access. Document the type of admin activity your admins can conduct remotely. An example is allowing them to provide desktop support services to end users but not allowing them to log into your active directory server via a VPN connection. Implement this using security groups. Restrict the ability to remotely access security relevant information such as your syslog server.